Tagged Questions

A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site. The state information can be used for authentication, identification of a user ...

I'm working on encrypting a web application's cookie. Using symmetric AES/CBC, I encrypt the cookie data before writing it out, and then decrypt it when reading it back in - the standard stuff.
The ...

A website based on Apache Struts uses Central Authentication Service (CAS) for login. I'd like to know if additional CSRF protection needs to be provided with Struts in case CAS doesn't provide that.
...

I am developing a site which uses HTTP-only cookies for authentication. By design [W3 standard] these cookies are XMLHttpObjects and will only be submitted to the domain they originated from to prevent ...

I own a web application (single page application with Angular), that asks for some data through a set of REST APIs based on my server-side application (using Play Framework 2.2.1).
So basically, I'm ...

I would like to note that I've read the other question with an embarrassingly similar title and it does not contain an answer to my question.
I have not used CodeIgniter as a programmer, but I have ...

I have a web-site written in nginx.conf — http://mdoc.su/ — which essentially accepts two parameters, an operating system and a manual page name, and does a redirect to a different site based on the ...

I have a (hobby) web site that runs only on SSL (i.e., site-wide HTTPS). The site does not deal with finances, social security numbers, or anything of that level of importance. However, I'd like to ...

I'm developing a web application that is basically for all our employees.
Right now we have 3500 employees and all of them will access this web application.
All of them will use really confidential ...

As a follow up to the Related Domain Cookie Attack question, I'd like to see if there are any servers that are able to detect instances where multiple cookies are sent from multiple domains.
In other ...

I have a few sites that are using HTTPS (no mixed mode HTTPS/HTTP).
The cookies do not have an HttpOnly flag set. They do pass along session IDs.
Also some of the sites do not have a "Secure" flag set ...

Egor Homakov made a nice writeup (Cookie Bomb or let's break the Internet) on how to crash CDNs and other websites with cookies.
Although this is a user/browser-side DOS, I'm wondering how one would ...

I was researching internet security. When I reached the Cookies section, I happened to read that the values inside a cookie are generally stored only after encrypting them. But an encryption can be ...

I am using Django which is a web framework for Python. I love it but the session handling is cookie-based. Now over SSL I'm sure it's reasonably "secure" but I don't think there is any kind of fail ...

Let's say I had a Gmail account. Should I just not have a Gmail account, or should I not use their cookies? How bad are the cookies, in and of themselves? I obviously wouldn't log into it, with my VPN or ...

CRIME mitigation involves disabling TLS compression. My server offers services only via XML-RPC and does not make use of Cookies, which is what CRIME exploits. Does this mean that I can turn on TLS ...

A website takes the following request and sets the "_Add_User" as a cookie in the response:
Request
GET /cgi-bin/webscr?cmd=_Add_User HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows ...

I don't understand the purpose of the securecookie package from gorilla. https://github.com/gorilla/securecookie/blob/master/securecookie.go. I can see that it's being used to get the cookie value on the server ...

The following post is in regards to headless *nix machines only...
I know programs like wget allow options to control cookies. However, if a program is not HTTP-centric, has little or no options for ...

I want to know the basic working of session cookies. When I tried googling, most of the results that came up were based on some programming language. I am not good at coding. So it will be helpful if someone ...

I'd like to audit the claims that are sent to a client from a SAML/p or WS-Trust authentication.
What private keys do I need and how would I decrypt this information?
If it makes any difference, I'm ...

Windows 10 was released with a new browser called Microsoft Edge. Interestingly, Internet Explorer is also installed on the same default install. Given that Chrome and Firefox tend to separate their ...